Hi,
We have problems with authorization to the nfs mounted share with sec=krb5 in multi domain
AD forest environment.
When server, client and user are from the same native domain, the user's login, nfs+krb mount
and access to the nfs mounted share work fine.
server(a)nat.c.example.com
client(a)nat.c.example.com
user-n(a)nat.c.example.com
When the user is from another domain, login (via ssh, GUI) and nfs+krb mount work; the user gets
'Permission denied' on the nfs share for rw
server(a)nat.c.example.com
client(a)nat.c.example.com
user-a(a)adm.c.example.com
AD user test accounts (user-n, user-a) have Posix attributes;
AD groups for Posix enabled users have Posix gids;
Test users are members of the universal group usr-sdu-glu(a)c.example.com;
SSSD is configured identically on client and server:
[sssd]
domains = nat.c.example.com
config_file_version = 2
services = nss, pam
[pam]
pam_verbosity = 3
debug_level = 9
[domain/nat.c.example.com]
debug_level = 9
ad_domain = nat.c.example.com
ad_hostname = host.nat.c.example.com
krb5_realm = NAT.C.EXAMPLE.COM
#cache_credentials = True
id_provider = ad
access_provider = ad
chpass_provider = ad
auth_provider = ad
#
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
#use_fully_qualified_names = True
fallback_homedir = /home-local/%d/%u
ldap_user_principal = userPrincipalName
------
On the client machine, in the "Permission denied" session, all AD groups and ids are shown
correctly using id and getent;
Obviously configuring nfs idmapping requires special attention in a multi domain trust (it
doesn't seem trivial using the UMICH method!).
Maybe some other AD specifics should be considered as well.
The PAC service is mentioned in the SSSD documentation.
Here come my questions:
Do we need PAC service enabled to get properly resolved AD groups in Kerberos context
between domains?
Is it possible in the 1.11.7 version and with (kernel 3.13.0-44) to integrate the SSSD
plugin nfsidmap_sss.so introduced first in 1.12.1?
Best,
Longina
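The following is an added illustration, not code from the post, from SSSD or from libnfsidmap: a simplified model of how an NFSv4 idmapper decides which local uid an "owner@domain" string or a Kerberos principal maps to. It contrasts a single-domain, nsswitch-style mapper (which only accepts the configured NFSv4 domain or local realm and silently falls back to nobody otherwise, which is one way a cross-domain user ends up with "Permission denied" on an otherwise working sec=krb5 mount) with a domain-aware mapper that resolves fully qualified names. The user directory, uids and the nobody uid are constructed sample values.

```python
# Simplified model (added example; not SSSD or libnfsidmap code) of NFSv4
# id mapping in a multi-domain AD forest.  Constructed data only.

NOBODY_UID = 65534  # typical "nobody" fallback; constructed value

# Constructed directory: fully qualified name -> uid, mirroring the two AD
# domains from the post (nat.c.example.com and adm.c.example.com).
DIRECTORY = {
    "user-n@nat.c.example.com": 10001,
    "user-a@adm.c.example.com": 20001,
}


def nss_style_map(owner, local_domain, local_realms):
    """Single-domain mapping: the domain part is only accepted if it equals
    the configured NFSv4 domain (or one of the local Kerberos realms).
    Anything else is treated as unknown and collapses to the nobody uid."""
    name, _, domain = owner.partition("@")
    if not domain:
        return NOBODY_UID
    if domain.lower() != local_domain.lower() and domain not in local_realms:
        # Cross-domain user or principal: this is the silent failure mode.
        return NOBODY_UID
    return DIRECTORY.get(f"{name}@{domain.lower()}", NOBODY_UID)


def domain_aware_map(owner):
    """Domain-aware mapping: resolve the fully qualified name as given, so a
    user from any trusted domain maps to their real uid.  A Kerberos realm
    (upper case) is normalised to its DNS domain before the lookup."""
    name, _, domain = owner.partition("@")
    if not domain:
        return NOBODY_UID
    return DIRECTORY.get(f"{name}@{domain.lower()}", NOBODY_UID)


if __name__ == "__main__":
    realms = ["NAT.C.EXAMPLE.COM"]
    for owner in ("user-n@nat.c.example.com", "user-a@adm.c.example.com",
                  "user-a@ADM.C.EXAMPLE.COM"):
        print(owner,
              "nss-style:", nss_style_map(owner, "nat.c.example.com", realms),
              "domain-aware:", domain_aware_map(owner))
```

Running it shows the native-domain user mapping to the same uid under both strategies while the cross-domain user maps to nobody under the single-domain strategy only.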